Infrastructure protection

Stuxnet-like cyberattack on German steel plant deepens security concerns

Published 9 January 2015

Critical infrastructure operations around the world are increasingly facing threats from cyber criminals. In 2014, a steel plant in Germany was attacked by hackers using spear-phishing to gain access to the office network of the plant. Once inside the network, the hackers hijacked the plant’s production process. The attack led to control components and several production machines shutting down. The outages then prevented the plant from appropriately shutting down a blast furnace, causing “massive damage to the system,” according to a report by Germany’s Federal Office for Information Security (BSI). The attack on the steel plant is only the fourth known attack specifically directed at industrial control systems (ICS) components, and only the second confirmed digital attack (the first was Stuxnet) to have caused physical damage to machinery and equipment.

The precise scope of the damage to the plant is unclear. The physical damage to the blast furnace seemed to be an unintended side effect of the breach, said Germany-based Gartner analyst Oliver Rochford. The attack was certainly conducted by someone with advanced technical knowledge not only of conventional IT security, but also of industrial control systems (ICS) and production processes, Security Week reported. Rochford believes the breach was likely carried out for competitive reasons.

“In order to do such damage, it is not enough simply to know a lot about Windows systems. Yes, it all started by infecting the computers in the office, but after that, things get complicated. Usually, those computers don’t run Windows, but some special real-time operating systems like QNX, OSE or VxWorks. Not an easy task to write code for these,” said IT security consultant Sorin Mustaca. “But writing code is not the biggest problem here; the complex part is to know how to control those industrial devices. For a furnace, knowing how to control it requires special knowledge which can’t just be read in some books.”

Though the plant’s name has not been disclosed, Germany’s Federal Office for Information Security (BSI) published details of the incident in a recent IT security report. In the same report, BSI noted that several German firms have been the targets of a cyber-espionage campaign known as Energetic Bear or Dragonfly (see “Russian hackers attack Western energy companies in 84 countries,” HSNW, 2 July 2014; and “The smart grid offers convenience, but it also makes cyberattacks more likely,” HSNW, 25 July 2014). The attacks, which target ICS operators particularly in the energy sector, relied on malware known as Havex. Last June, PC World reported that hackers had started to use Havex against firms that use or develop industrial applications and machines. Researchers with F-Secure at the time noted that of the European-based organizations that have fallen victim to Havex, “two are major educational institutions in France that are known for technology-related research,” one is a Russian construction company that appears to specialize in structural engineering, one is a French industrial machine producer, and two are German industrial application or machine producers.

Dragos Security co-founder Robert M. Lee, writing in his blog post, highlighted the most important aspect of the attack on the German steel plant:

So far, there is no discussion of what type of capability the adversaries used past the spear phishing, such as specific malware, and the attacker may have just been directly connecting into the facility to cause the damage through interaction with the human-machine interface or other control systems. However, if there was malware involved that was targeted towards ICS specifically, this would then be only the fourth public instance. Stuxnet, HAVEX, and BlackEnergy were the other three pieces of malware that had specific ICS-targeted components.

As Lee notes, the attack on the steel plant is only the fourth known attack specifically directed at ICS components. It is, however, only the second confirmed digital attack (the first was Stuxnet) to have caused physical damage to machinery (see “Report details history, earlier versions of Stuxnet,” HSNW, 28 February 2013).

There are two other cases in which, reportedly, physical damage was done by digital means: the Trans-Siberian Pipeline explosion in 1982, and the BTC Turkey pipeline explosion in 2008 (see “2008 Turkish oil pipeline explosion may have been Stuxnet precursor,” HSNW, 17 December 2014). In both cases, however, information was scant, technical analysis was unavailable, and questions were raised about the reliability of the reporting sources.